# Expel Workbench
The Expel Workbench connector enables seamless integration with Swimlane Turbine, allowing for automated security incident management and threat response.

Expel Workbench is a comprehensive security operations platform that enables real-time threat detection and response. This connector allows Swimlane Turbine users to integrate with Expel Workbench, providing streamlined access to a suite of investigative and remediation actions. By leveraging this integration, security teams can automate the retrieval and updating of alerts, investigations, and associated actions, enhancing their incident response capabilities and operational efficiency within the Swimlane ecosystem.

## Prerequisites

To effectively utilize the Expel Workbench connector with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP bearer authentication with the following parameters:
  - URL: endpoint for Expel Workbench API access
  - API key: unique identifier to authenticate requests to Expel Workbench

### Obtaining an API key

API keys are obtained through your Expel engagement manager. Please contact Expel.

## Capabilities

This Expel Workbench integration provides the following capabilities:

- Get Expel Alerts
- Get Investigations
- Get Investigation Actions
- Get Investigation Alerts
- Get Investigation Findings
- Get Investigation Remediations
- Get Security Devices
- Get Vendor Alerts
- Update Alerts
- Update Investigation
- Update Investigative Actions

## Notes

- To use query parameters, refer to the documentation to identify the specific fields available for a particular action.
- Documentation: https://workbench.expel.io/api/v2/docs/

## Configurations

### Expel Workbench API Key Authentication

Authenticates using an API token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token | The API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Common query parameters

All of the Get actions below accept the same optional `parameters` object. Its fields are listed here once instead of being repeated under every action.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | array | optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| parameters.filter.field | string | required | The field you want to filter. |
| parameters.filter.relationship_field | string | optional | Each object may contain relationships. The relationships exist in the response under `data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an Expel alert, and the Expel alert model has the attribute `created_at`; you can filter attributes of a relationship from the investigations API endpoint. |
| parameters.filter.operator | string | optional | A single-character operator. |
| parameters.filter.value | string | required | The operand value. |
| parameters.include | string | optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record and want to resolve specific relationship data without making multiple calls. |
| parameters.sorting | string | optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a `+` or `-` to signify ascending or descending sorts respectively. |
| parameters.page | array | optional | Pagination in the Workbench API uses a limit/offset system. |
| parameters.page.field | string | required | Field can take `offset` or `limit`. The limit defaults to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset defaults to 0 if not supplied. |
| parameters.page.value | number | required | Limit/offset value. |
| parameters.flag | array | optional | In addition to the filter query parameter specified by the JSON:API spec, the API supports a custom query parameter of flags that allows callers to pass variables to the backend. |
| parameters.flag.field | string | required | The flag field takes variables which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes `scope`, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via the API. |
| parameters.flag.value | string | required | Takes variable values or the scope's name. |

Generic input example (used by Get Expel Alerts, Get Investigations and Get Vendor Alerts):

```json
{"parameters": {"filter": [{"field": "string", "relationship_field": "string", "operator": "string", "value": "string"}], "include": "string", "sorting": "string", "page": [{"field": "string", "value": 123}], "flag": [{"field": "string", "value": "string"}]}}
```

### Common output fields

Every Get action returns the following fields in addition to the action-specific fields listed under that action.

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| jsonapi.version | string | Output field jsonapi.version |
| meta | object | Output field meta |
| meta.reqid | string | Unique identifier |
| meta.page | object | Output field meta.page |
| meta.page.offset | number | Output field meta.page.offset |
| meta.page.limit | number | Output field meta.page.limit |
| meta.page.total | number | Output field meta.page.total |
| links | object | Output field links |
| links.self | string | Output field links.self |
| data | array | Response data |

Generic output example (used by several actions below):

```json
{"jsonapi": {"version": "string"}, "meta": {"reqid": "string", "page": {"offset": 123, "limit": 123, "total": 123}}, "links": {"self": "string"}, "data": [{"type": "string", "id": "12345678-1234-1234-1234-123456789abc", "attributes": {}, "links": {}, "relationships": {}}], "included": [{"file_name": "example_name", "file": "string"}]}
```

### Get Expel Alerts

Retrieves a list of alert records from Expel Workbench, offering an overview of security notifications.

- Endpoint URL: `api/v2/expel_alerts`
- Method: GET

Input: the common query parameters (see the generic input example above).

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.type | string | Response data |
| data.id | string | Response data |
| data.attributes | object | Response data |
| data.attributes.alert_type | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.expel_name | string | Response data |
| data.attributes.expel_severity | string | Response data |
| data.attributes.expel_version | string | Response data |
| data.attributes.expel_alias_name | string | Response data |
| data.attributes.expel_signature_id | string | Response data |
| data.attributes.expel_message | string | Response data |
| data.attributes.ref_event_id | object | Response data |

Output example: the generic output example above.

### Get Investigation Actions

Retrieve a list of actions linked to an investigation in Expel Workbench by providing the investigation ID.

- Endpoint URL: `api/v2/investigations/{{investigation_id}}/investigative_actions`
- Method: GET

Input: the common query parameters plus:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.investigation_id | string | required | Investigation ID |

Input example:

```json
{"path_parameters": {"investigation_id": "29af0672-7dbe-46e4-96ce-69a2c3ac2b9b"}}
```

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.type | string | Response data |
| data.id | string | Response data |
| data.attributes | object | Response data |
| data.attributes.status | string | Response data |
| data.attributes.title | string | Response data |
| data.attributes.instructions | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.attributes.status_updated_at | string | Response data |
| data.attributes.reason | string | Response data |
| data.attributes.results | string | Response data |
| data.attributes.close_reason | object | Response data |

Output example: the generic output example above.

### Get Investigation Alerts

Retrieve alerts linked to a given investigation in Expel Workbench by providing the investigation ID.

- Endpoint URL: `api/v2/investigations/{{investigation_id}}/expel_alerts`
- Method: GET

Input: the common query parameters plus:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.investigation_id | string | required | Investigation ID |

Input example:

```json
{"path_parameters": {"investigation_id": "29af0672-7dbe-46e4-96ce-69a2c3ac2b9b"}}
```

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.file_name | string | Response data |
| data.file | string | Response data |
| included | array | Output field included |
| included.file_name | string | Name of the resource |
| included.file | string | Output field included.file |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"content-type": "application/vnd.api+json", "transfer-encoding": "chunked", "connection": "keep-alive", "date": "Thu, 02 May 2024 05:49:00 GMT", "vary": "Accept-Encoding", "x-expelinc-req-id": "3624cae4-bb19-45f3-9155-68cbf5473522", "access-control-allow-origin": " ", "access-control-allow-methods": "GET, POST, PATCH, DELETE, OPTIONS", "access-control-allow-headers": "", "cache-control": "private, must-revalidate, max-age=0", "expires": "Thu, 01 Jan 1970 00:00:00", "server": "ngi
```

### Get Investigation Findings

Retrieve findings linked to a specific investigation in Expel Workbench by providing the investigation ID.

- Endpoint URL: `api/v2/investigations/{{investigation_id}}/findings`
- Method: GET

Input: the common query parameters plus:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.investigation_id | string | required | Investigation ID |

Input example:

```json
{"path_parameters": {"investigation_id": "29af0672-7dbe-46e4-96ce-69a2c3ac2b9b"}}
```

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.type | string | Response data |
| data.id | string | Response data |
| data.attributes | object | Response data |
| data.attributes.title | string | Response data |
| data.attributes.finding | object | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.attributes.deleted_at | object | Response data |
| data.attributes.rank | number | Response data |
| data.attributes.finding_type | object | Response data |
| data.attributes.finding_data | object | Response data |
| data.links | object | Response data |

Output example: the generic output example above.

### Get Investigation Remediations

Retrieve remediation records for a given investigation in Expel Workbench; the investigation ID is required as a path parameter.

- Endpoint URL: `api/v2/investigations/{{investigation_id}}/remediation_actions`
- Method: GET

Input: the common query parameters plus:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.investigation_id | string | required | Investigation ID |

Input example:

```json
{"path_parameters": {"investigation_id": "29af0672-7dbe-46e4-96ce-69a2c3ac2b9b"}}
```

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.type | string | Response data |
| data.id | string | Response data |
| data.attributes | object | Response data |
| data.attributes.status | string | Response data |
| data.attributes.action | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.attributes.status_updated_at | string | Response data |
| data.attributes.deleted_at | object | Response data |
| data.attributes.template_name | string | Response data |
| data.attributes.version | string | Response data |
| data.attributes.action_type | string | Response data |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"content-type": "application/vnd.api+json", "transfer-encoding": "chunked", "connection": "keep-alive", "date": "Wed, 01 May 2024 11:02:19 GMT", "vary": "Accept-Encoding", "x-expelinc-req-id": "608e7985-0a1d-410a-9ac4-5df1b9bd0a62", "access-control-allow-origin": " ", "access-control-allow-methods": "GET, POST, PATCH, DELETE, OPTIONS", "access-control-allow-headers": "", "cache-control": "private, must-revalidate, max-age=0", "expires": "Thu, 01 Jan 1970 00:00:00", "server": "ngi
```

### Get Investigations

Retrieve a list of investigation records from Expel Workbench to review security incidents and their statuses.

- Endpoint URL: `api/v2/investigations`
- Method: GET

Input: the common query parameters (see the generic input example above).

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.type | string | Response data |
| data.id | string | Response data |
| data.attributes | object | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.analyst_severity | object | Response data |
| data.attributes.title | string | Response data |
| data.attributes.decision | string | Response data |
| data.attributes.is_incident | boolean | Response data |
| data.attributes.threat_type | object | Response data |
| data.attributes.attack_vector | object | Response data |
| data.attributes.detection_type | object | Response data |
| data.attributes.attack_timing | object | Response data |

Output example: the generic output example above.

### Get Security Devices

Retrieve a detailed list of security devices, including type and status, from Expel Workbench.

- Endpoint URL: `api/v2/security_devices`
- Method: GET

Input: the common query parameters.

Input example:

```json
{"parameters": {"filter": [{"field": "name", "relationship_field": "", "operator": "^", "value": "m"}, {"field": "device_type", "relationship_field": "", "operator": " ", "value": "cloud"}], "include": "investigative_actions,organization", "sorting": "name, created_at", "page": [{"field": "limit", "value": 1}], "flag": [{"field": "scope", "value": "is_assigned_to_a_user"}, {"field": "consistency_mode", "value": "eventual"}]}}
```

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.type | string | Response data |
| data.id | string | Response data |
| data.attributes | object | Response data |
| data.attributes.name | string | Response data |
| data.attributes.location | string | Response data |
| data.attributes.status | string | Response data |
| data.attributes.device_type | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.attributes.status_updated_at | string | Response data |
| data.attributes.device_spec | object | Response data |
| data.attributes.plugin_slug | string | Response data |

Output example: the generic output example above.

### Get Vendor Alerts

Retrieve a comprehensive list of vendor alerts from Expel Workbench for an overview of security notifications.

- Endpoint URL: `api/v2/vendor_alerts`
- Method: GET

Input: the common query parameters (see the generic input example above).

Output: the common output fields plus:

| Parameter | Type | Description |
| --- | --- | --- |
| data.file_name | string | Response data |
| data.file | string | Response data |
| included | array | Output field included |
| included.file_name | string | Name of the resource |
| included.file | string | Output field included.file |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"content-type": "application/vnd.api+json", "transfer-encoding": "chunked", "connection": "keep-alive", "date": "Wed, 01 May 2024 23:18:59 GMT", "vary": "Accept-Encoding", "x-expelinc-req-id": "131d107e-d777-43da-a5f1-db7e9965c020", "access-control-allow-origin": " ", "access-control-allow-methods": "GET, POST, PATCH, DELETE, OPTIONS", "access-control-allow-headers": "", "cache-control": "private, must-revalidate, max-age=0", "expires": "Thu, 01 Jan 1970 00:00:00", "server": "ngi
```

### Update Alerts

Updates specific fields and relationships for an alert in Expel Workbench using the provided Expel alert ID.

- Endpoint URL: `api/v2/expel_alerts/{{expel_alert_id}}`
- Method: PATCH

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.expel_alert_id | string | required | Expel alert ID |
| data | object | optional | Response data |
| data.attributes | object | optional | Response data |
| data.attributes.expel_severity | string | optional | Expel alert severity |
| data.attributes.alert_type | string | optional | Expel alert type; also allows a null value |
| data.attributes.close_comment | string | optional | Expel alert close comment; allows an empty string or null |
| data.attributes.close_reason | string | optional | Expel alert close reason |
| data.attributes.cust_disp_alerts_in_critical_incidents_count | number | optional | Allows a null value |
| data.attributes.cust_disp_alerts_in_incidents_count | number | optional | Allows a null value |
| data.attributes.cust_disp_alerts_in_investigations_count | number | optional | Allows a null value |
| data.attributes.cust_disp_closed_alerts_count | number | optional | Allows a null value |
| data.attributes.cust_disp_disposed_alerts_count | number | optional | Allows a null value |
| data.attributes.disposition_alerts_in_incidents_count | number | optional | Allows a null value |
| data.attributes.disposition_alerts_in_investigations_count | number | optional | Allows a null value |
| data.attributes.disposition_closed_alerts_count | number | optional | Allows a null value |
| data.attributes.disposition_disposed_alerts_count | number | optional | Allows a null value |
| data | | | |
attributes disposition alerts in critical incidents count number optional allows null value data attributes expel alias name string optional expel alert alias allows empty string or null length of the string must be less than or equal to 128 characters data attributes expel message string optional expel alert message allows empty string or null data attributes expel name string optional expel alert name allows empty string or null data attributes expel signature id string optional expel alert signature allows empty string or null length of the string must be less than or equal to 128 characters data attributes expel version string optional expel alert version allows empty string or null length of the string must be less than or equal to 40 characters data attributes git rule url string optional url to rule definition for alert allows empty string or null data attributes rapid triage priority string optional expel alert rapid triage priority data attributes ref event id string optional referring event id allows null value input example {"path parameters" {"expel alert id" "44cdc7ea b5a3 496d b373 6f440ae0afd4"}} output parameter type description status code number http status code of the response reason string response reason phrase jsonapi object output field jsonapi jsonapi version string output field jsonapi version meta object output field meta meta reqid string unique identifier links object output field links links self string output field links self data object response data data type string response data data id string response data data attributes object response data data attributes alert type string response data data attributes created at string response data data attributes expel name string response data data attributes expel severity string response data data attributes expel version string response data data attributes expel alias name string response data data attributes expel signature id string response data data attributes expel message string 
response data data attributes ref event id string response data data attributes status string response data data attributes close reason string response data data attributes close comment string response data data attributes vendor alert count number response data output example {"jsonapi" {"version" "string"},"meta" {"reqid" "string"},"links" {"self" "string"},"data" {"type" "string","id" "12345678 1234 1234 1234 123456789abc","attributes" {"alert type" "string","created at" "string","expel name" "example name","expel severity" "string","expel version" "string","expel alias name" "example name","expel signature id" "string","expel message" "string","ref event id" "string","status" "active","close reason" "string","close comment" "string","vendor alert count" 123,"activ update investigation updates fields and relationships for an existing investigation in expel workbench using the provided investigation id endpoint url api/v2/investigations/{{investigation id}} method patch input argument name type required description path parameters investigation id string required parameters for the update investigation action data object optional response data data attributes object optional response data data attributes analyst severity string optional analyst severity allows null value data attributes title string optional allows empty string or null value length of the string must be less than or equal to 128 characters data attributes attack timing string optional attack timing allows null value data attributes attack vector string optional attack vector allows null value data attributes close comment string optional close comment allows empty string or null value data attributes critical comment string optional critical comment allows empty string or null value data attributes decision string optional decision allows null value data attributes detection type string optional detection type allows null value data attributes initial attack vector string optional initial 
attack vector allows empty string or null value data attributes is downgrade boolean optional is downgrade data attributes is incident boolean optional is incident data attributes is surge boolean optional is surge data attributes last published value string optional last published value allows empty string or null value data attributes malware family string optional malware family allows empty string or null value data attributes next steps string optional recommended next steps for starting this investigation or handling this incident allows empty string or null value data attributes open reason string optional open reason allows null value data attributes open summary string optional reason the investigation/incident was opened allows empty string or null value data attributes source reason string optional source reason allows null value data attributes threat type string optional threat type allows null value input example {"path parameters" {"investigation id" "29af0672 7dbe 46e4 96ce 69a2c3ac2b9b"}} output parameter type description status code number http status code of the response reason string response reason phrase jsonapi object output field jsonapi jsonapi version string output field jsonapi version meta object output field meta meta reqid string unique identifier links object output field links links self string output field links self data object response data data type string response data data id string response data data attributes object response data data attributes created at string response data data attributes analyst severity object response data data attributes title string response data data attributes decision object response data data attributes is incident boolean response data data attributes threat type object response data data attributes attack vector object response data data attributes detection type object response data data attributes attack timing object response data data attributes attack lifecycle object response data data 
attributes close comment object response data data attributes updated at string response data data attributes critical comment object response data output example {"jsonapi" {"version" "string"},"meta" {"reqid" "string"},"links" {"self" "string"},"data" {"type" "string","id" "12345678 1234 1234 1234 123456789abc","attributes" {"created at" "string","analyst severity" {},"title" "string","decision" {},"is incident"\ true,"threat type" {},"attack vector" {},"detection type" {},"attack timing" {},"attack lifecycle" {},"close comment" {},"updated at" "string","critical comment" {},"lead description" {},"source reason" "string"},"links" {"self" "string"},"relat update investigative actions updates specific document fields and relationships in expel workbench using the investigation id related resources can be included in the response endpoint url /api/v2/investigations/{{investigation id}}/investigative actions method patch input argument name type required description path parameters investigation id string required investigation id parameters activity authorised boolean optional verify investigative action is authorized parameters activity verified by string optional verify investigative action is authorized parameters results string optional the result of the investigative action parameters filter array optional each model has attributes as detailed in the resources documentation most attributes on most resources are filterable parameters filter field string required the field you want to filter parameters filter relationship field string optional each object may contain relationships the relationships exist in response data\[] relationships you can filter based on relationship attributes i e the investigation model contains the lead expel alert relationship containing an expel alert the expel alert model has the attribute created at you can filter attributes of a relationship from the investigations api endpoint parameters filter operator string optional a single 
character operator parameters filter value string required the operand value parameters include string optional allows you to specify which relationship records you want included in the response this is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls parameters sorting string optional allows you to sort by a particular attribute of a resource each field may be prefixed by a + or to signify ascending or descending sorts respectively parameters page array optional pagination in the workbench api uses an limit/offset system parameters page field string required field can take offset/limit, the limit is defaulted to 50 if not supplied the limit may be set to zero this is useful if your api client needs a count of records without needing to retrieve the actual content of those records the record offset is defaulted to 0 if not supplied parameters page value number required limit/offset value parameters flag array optional in addition to filter query parameter, as specified by the jsonapi spec, api supports a custom api query parameter of flags that allows callers to pass variables to the backend parameters flag field string required the flag field take variables which are defined on a resource by resource basis, and will alter the behavior of a given api call also take scope enables callers to specify scopes for resources backed by sequelize when adding a scope that should be accessible from the api, after adding the scope to the scopes object in the resource model definition, add the scope's name to the api scopes array to allow it to be accessible via api parameters flag value string required it will take variable values or scope's name input example {"path parameters" {"investigation id" "29af0672 7dbe 46e4 96ce 69a2c3ac2b9b"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response 
headers" {"content length" "140","content type" "application/json","date" "thu, 13 dec 2024 20 37 23 gmt"},"reason" "ok","json body" {}} response headers header description example access control allow headers http response header access control allow headers access control allow methods http response header access control allow methods get, post, patch, delete, options access control allow origin http response header access control allow origin cache control directives for caching mechanisms private, must revalidate, max age=0 connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 140 content type the media type of the resource application/vnd api+json date the date and time at which the message was originated thu, 02 may 2024 05 49 00 gmt expires the date/time after which the response is considered stale thu, 01 jan 1970 00 00 00 server information about the software used by the origin server nginx set cookie http response header set cookie ingresscookie=9a78155f d891 4756 b8be 50482ed70c23; path=/; same site=lax; httponly strict transport security http response header strict transport security max age=31536000; includesubdomains transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding x expelinc req id http response header x expelinc req id 608e7985 0a1d 410a 9ac4 5df1b9bd0a62 x request id a unique identifier for the request d124f99e 57d7 4a6d a98f 2e8ebb31e530
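The filter, include, sorting, page and flag inputs described for Get Vendor Alerts (and repeated for Update Investigative Actions) map onto a query string, and the limit/offset rules decide how a client walks a large result set. The following is an added example, not the connector's or Expel's own code; the query-string encoding (filter[field]=<op><value>, filter[relationship][field]=..., sort=, page[limit]=, page[offset]=, flag[field]=) is an assumption based on JSON:API conventions and should be confirmed against the Workbench API docs, and fake_vendor_alerts is a constructed stand-in for the real endpoint.

```python
"""Build a Workbench query string from the connector's `parameters` object and
walk limit/offset pages. Added example; the query encoding is an assumption
(JSON:API style) and fake_vendor_alerts only imitates the documented paging."""
from urllib.parse import parse_qs, urlencode

DEFAULT_LIMIT = 50  # documented default when page.limit is not supplied


def build_query(parameters: dict) -> str:
    """Encode filter / include / sorting / page / flag inputs as a query string."""
    pairs = []
    for f in parameters.get("filter", []):
        key = f"filter[{f['field']}]"
        if f.get("relationship_field"):  # e.g. lead_expel_alert -> created_at
            key = f"filter[{f['relationship_field']}][{f['field']}]"
        pairs.append((key, f"{f.get('operator', '')}{f['value']}"))
    if parameters.get("include"):
        pairs.append(("include", parameters["include"]))
    if parameters.get("sorting"):  # '-' prefix = descending, '+' = ascending
        pairs.append(("sort", parameters["sorting"]))
    for p in parameters.get("page", []):
        pairs.append((f"page[{p['field']}]", str(p["value"])))
    for fl in parameters.get("flag", []):
        pairs.append((f"flag[{fl['field']}]", fl["value"]))
    return urlencode(pairs, safe="[]")


def count_records(get_page, parameters: dict) -> int:
    """page[limit]=0 returns only meta.page.total, never the records themselves."""
    doc = get_page(build_query({**parameters, "page": [{"field": "limit", "value": 0}]}))
    return doc["meta"]["page"]["total"]


def fetch_all(get_page, parameters: dict, limit: int = DEFAULT_LIMIT) -> list:
    """Walk pages from offset 0 until meta.page.total is exhausted."""
    records, offset = [], 0
    while True:
        page = [{"field": "limit", "value": limit}, {"field": "offset", "value": offset}]
        doc = get_page(build_query({**parameters, "page": page}))
        records.extend(doc.get("data", []))
        offset += limit
        if not doc.get("data") or offset >= doc["meta"]["page"]["total"]:
            break
    return records


def fake_vendor_alerts(total: int):
    """Constructed stand-in for GET api/v2/vendor_alerts (offline demo only)."""
    def get_page(query: str) -> dict:
        qs = parse_qs(query)
        limit = int(qs.get("page[limit]", [DEFAULT_LIMIT])[0])
        offset = int(qs.get("page[offset]", [0])[0])
        ids = range(total)[offset:offset + limit]
        return {"meta": {"page": {"offset": offset, "limit": limit, "total": total}},
                "data": [{"type": "vendor_alerts", "id": f"va-{i}"} for i in ids]}
    return get_page
```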
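The Update Alerts and Update Investigation actions document per-attribute rules (which attributes accept null, which accept an empty string, and the 128/40 character limits); checking a payload against them before the PATCH turns a late 4xx into a clear error in the playbook. The following is an added example, not the connector's own code; it covers only the attributes in its rule tables, treats attributes the page does not mark nullable as non-null, and the JSON:API `type` values passed to patch_body are assumptions.

```python
"""Validate attribute updates against the documented Update Alerts / Update
Investigation constraints before building a JSON:API PATCH body. Added example,
not the connector's own code; rule tables cover a subset of the attributes."""

# name -> (type, null allowed, empty string allowed, max length); unmarked = non-null
EXPEL_ALERT_RULES = {
    "expel_severity": (str, False, False, None),
    "alert_type": (str, True, False, None),
    "close_comment": (str, True, True, None),
    "close_reason": (str, False, False, None),
    "expel_alias_name": (str, True, True, 128),
    "expel_name": (str, True, True, None),
    "expel_signature_id": (str, True, True, 128),
    "expel_version": (str, True, True, 40),
    "rapid_triage_priority": (str, False, False, None),
    "ref_event_id": (str, True, False, None),
}
INVESTIGATION_RULES = {
    "analyst_severity": (str, True, False, None),
    "title": (str, True, True, 128),
    "close_comment": (str, True, True, None),
    "is_incident": (bool, False, False, None),
    "is_surge": (bool, False, False, None),
    "next_steps": (str, True, True, None),
    "open_summary": (str, True, True, None),
    "threat_type": (str, True, False, None),
}


def validate_attributes(attrs: dict, rules: dict) -> list:
    """Return human-readable violations; an empty list means the update is acceptable."""
    problems = []
    for name, value in attrs.items():
        if name not in rules:
            problems.append(f"{name}: not in the rule table")
            continue
        kind, nullable, empty_ok, max_len = rules[name]
        if value is None:
            if not nullable:
                problems.append(f"{name}: null is not allowed")
        elif not isinstance(value, kind):
            problems.append(f"{name}: expected {kind.__name__}")
        elif value == "" and not empty_ok:
            problems.append(f"{name}: empty string is not allowed")
        elif max_len is not None and len(value) > max_len:
            problems.append(f"{name}: longer than {max_len} characters")
    return problems


def patch_body(resource_type: str, resource_id: str, attrs: dict, rules: dict) -> dict:
    """Build the JSON:API PATCH document, refusing one that breaks the documented rules."""
    problems = validate_attributes(attrs, rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {"data": {"type": resource_type, "id": resource_id, "attributes": attrs}}
```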